[EVENT10016] SecurityCenter - How to change the startup type


With the update to Windows 10 v1809, three event logs that seem to be related to Windows Security Center are now recorded.

[CLSID]

  1. Windows.SecurityCenter.WscBrokerManager
  2. Windows.SecurityCenter.SecurityAppBroker
  3. Windows.SecurityCenter.WscDataProtection

[Guid]
  • {1b562e86-b7aa-4131-badc-b6f3a001407e}
    * Items 1 to 3 share the same Guid

The event log offers the following solution:

"This security permission can be modified by using the Component Services administration tool."

Unfortunately, because the event shows "APPID: Unavailable", the APPID cannot be specified even when Component Services is started.

To clean up the Event Viewer, you can stop the event from being recorded in the event log. (PLAN-A)

Now, to the main subject.

Another PC I own does not have a Windows.SecurityCenter.xxx error recorded, so I searched the net for new information and came across information that could lead to a repair.

[Repair method]
  • Change the Security Center service startup type from Automatic (Delayed Start) to Automatic.

The procedure is simple, but the Security Center service startup type is grayed out and cannot be changed normally.

[Patterns A, B, C]

  1. Repair using ExecTI
  2. Repair using Registry Editor
  3. Stop recording event logs


Event Log

Of the three types of errors, only the Windows.SecurityCenter.WscDataProtection log is reproduced here.

For the remaining two logs, read [Windows.SecurityCenter.WscDataProtection] as one of the following names:
  • Windows.SecurityCenter.WscBrokerManager
  • Windows.SecurityCenter.SecurityAppBroker

Event Log
  Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administration tool.
  Log name: System
  Source: DistributedCOM
  Event ID: 10016
  Level: Error
  User: SYSTEM
  Opcode: Information
  Guid: {1b562e86-b7aa-4131-badc-b6f3a001407e}

Pattern A (ExecTI)

This procedure makes use of the free software ExecTI.

ExecTI is software that can launch programs and management consoles with TrustedInstaller privileges.


In the Services console started normally, the drop-down list next to the Security Center startup type is grayed out and cannot be changed, but in a Services console started from ExecTI the Security Center startup type can be changed.

[Screenshot: the Services console started normally (wscsvc_auto_delay)]

Reference: Windows startup process
  1. Power on PC
  2. Windows starts
  3. Security Center starts delayed ← Error is recorded here
  4. The login screen is displayed
  5. Log in
  6. Startup process ends

This is the procedure to change "Automatic (Delayed Start)" of Security Center to "Automatic".

1. Start Services
Start the Services console from ExecTI.
  1. Launch ExecTI
  2. Type services.msc in the box next to Open
  3. Click OK

[Screenshot: ExecTI_services.msc]
2. Security Center
Once the Services console has started, look for Security Center and view its properties.
  1. Find Security Center
  2. Double-click it, or right-click it and select Properties

[Screenshot: wscsvc_auto_delay_execti]
3. Startup type
Change the startup type in the middle row to "Automatic".

  After change: Automatic
  Before change: Automatic (Delayed Start)

[Screenshot: Startup_auto]
4. End of procedure
This completes the procedure.

Restart your PC and check the Event Viewer.

Pattern B (Registry editor)

If you want to repair without using ExecTI, you can use Registry Editor.

Registry operations are at your own risk. Before working with Registry Editor, make a backup copy of your registry in case something goes wrong.

The value to search for is the Security Center service name "wscsvc".

The search matches in multiple places, but the key to edit is the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

To change from automatic (delayed start) to automatic, set DelayedAutoStart = 0.

[Screenshot: DelayedAutoStart]

Pattern C (stop logging)

You can clean up the Event Viewer by stopping the event from being recorded in the event log.

The information in this section is a simplified version of the article posted as PLAN-A, so read the related article for detailed instructions.

This procedure is in line with what Microsoft officially recommends, because it stops the logging while ignoring the event that is still occurring.

It's not a fundamental solution, but it's cleaner because it reduces the number of errors displayed in the Event Viewer.

Find the following key and change the Enabled value from 1 to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{1b562e86-b7aa-4131-badc-b6f3a001407e}

[Screenshot: Guid_Enabled]
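
The check that closes each pattern ("Restart your PC and check the Event Viewer"), written as a PowerShell script. This is an added example, not part of the original article; it only reads the two registry values named above and the System log, and its variable names are its own.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Key paths, value names, CLSID names and the Guid are the ones in the article.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{1b562e86-b7aa-4131-badc-b6f3a001407e}'
$clsids = 'Windows.SecurityCenter.WscBrokerManager',
          'Windows.SecurityCenter.SecurityAppBroker',
          'Windows.SecurityCenter.WscDataProtection'

# Patterns A and B: DelayedAutoStart = 1 is "Automatic (Delayed Start)", 0 is "Automatic".
$svc     = Get-ItemProperty -LiteralPath $svcKey -ErrorAction Stop
$delayed = ($svc.DelayedAutoStart -eq 1)

# Pattern C: Enabled = 0 under the Guid key means the events are no longer recorded.
$log        = Get-ItemProperty -LiteralPath $logKey -ErrorAction Stop
$loggingOff = ($log.Enabled -eq 0)

# Event ID 10016 from DistributedCOM in the System log, since the last boot only.
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'System'; Id = 10016; StartTime = $boot }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like '*DistributedCOM' })

[pscustomobject]@{
    StartupType     = if ($delayed) { 'Automatic (Delayed Start)' } else { 'Automatic' }
    LoggingDisabled = $loggingOff
    LastBoot        = $boot
} | Format-List

# One row per CLSID name from the article; Get-WinEvent returns newest events first.
$clsids | ForEach-Object {
    $name = $_
    $hits = @($events | Where-Object { $_.Message -like "*$name*" })
    [pscustomobject]@{
        CLSID           = $name
        EventsSinceBoot = $hits.Count
        Latest          = ($hits | Select-Object -First 1).TimeCreated
    }
} | Format-Table -AutoSize

if ($loggingOff) {
    # With Pattern C applied, an empty log cannot confirm that Pattern A or B worked.
    Write-Warning 'Logging is disabled (Pattern C): a count of 0 does not show that the error stopped.'
}
```

A count of 0 for all three names after a reboot, with LoggingDisabled shown as False, indicates that the startup type change took effect.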

Summary

Countermeasures when Windows.SecurityCenter.WscDataProtection is recorded in the event log:

  1. Ignore it
  2. Change the startup type
  3. Stop logging

About 10016 events

According to support.microsoft.com, the 10016 event is recorded when a Microsoft component tries to access a DCOM component without having the required permissions, and this behavior follows Windows specifications.

Therefore, the recommended action is to wait for natural recovery.

SID (S-1-5-18)

I made a note of the "NT AUTHORITY\SYSTEM SID (S-1-5-18)" that was recorded in the event log.

S-1-5-18 is a SID (security identifier) and is given to the built-in account (Local System) that is automatically created when Windows is installed.

Local System refers to the following accounts:
  • SYSTEM
  • Local Service
  • Network Service

Document

Here are some tips that helped with this repair procedure:

You can basically ignore the error.

The cause is that various applications are preloaded in memory in the background before the user logs in to Windows, and it is caused by insufficient privileges.

When the application is officially launched at the time of login, it has been resolved by logging in, so there should be no harm.

This is also one of the reasons you shouldn't log in until you get slow access to your storage when you start Windows.
Microsoft community
Validation: Windows 10 Pro October 2018 Update, v1809.17763.503